INTERNAL AUDIT ANNUAL PLAN 2021 – 22 & STRATEGIC PLAN 2021 – 24 - DRAFT RUSHCLIFFE BOROUGH COUNCIL

Post on 09-Jan-2022


CONTENTS

Audit Risk Assessment

Mapping Your Risk Assessment

Mapping Your Corporate Risk Register

Internal Audit Operation Plan 2021 - 22

Internal Audit Strategic Plan 2021 - 23

Appendix I – Internal Audit Charter

AUDIT RISK ASSESSMENT OF 2018/19 WORK

Background

Our risk based approach to Internal Audit uses the Council’s own risk management process and risk register as a starting point for audit planning as this represents the client’s own assessment of the risks to it achieving its strategic objectives.

The extent to which we can rely on management’s own perception of risk largely depends on the maturity and effectiveness of the Council’s own risk management arrangements.

Planned approach to internal audit plan 2021 - 22

The indicative Internal Audit programme for 2021 - 22 is shown from page 7, with an indicative strategic plan for 2021 - 24 shown from page 12. We will keep the programme under continuous review during the year and will introduce to the plan any significant areas of risk identified by management during that period.

The plan is set within the context of a multi-year approach to internal audit planning, such that all areas of key risks would be looked at over a three year audit cycle. In setting the number of days in the plan we have assumed that the control environment within the Council will improve as we work with you to address the issues you have.

Individual audits

When we scope each review, we will reconsider our estimate for the number of days needed to achieve the objectives established for the work and to complete it to a satisfactory standard in light of the control environment identified within the Council. Where revisions are required, we will obtain approval from the appropriate Executive Director prior to commencing fieldwork.

In determining the timing of our individual audits we will seek to agree a date which is convenient to the Council and which ensures availability of key management and staff.

Variations to the Plan

We review the three year strategic plan each year to ensure we remain aware of your ongoing risks and opportunities. Over the coming pages we have mapped your key risks along with the audit work we are undertaking, demonstrating we are focusing on your most important issues.

MAPPING YOUR CORPORATE RISKS

Ref Risks from your CRR Risk Score

1 Revaluation of major business rate payer 12

2 Failure to prevent or detect fraud and corruption 4

3 Failure to properly manage and deliver significant projects 4

4 Failure to comply with General Data Protection Regulation 6

5 Failure of business continuity 6

6 Failure to properly deal with community governance review legislation, Community Right to Challenge, and nominations for assets of community value 4

7 ICT supplier goes out of business 6

8 Failure of internal health and safety compliance or enforcement of health and safety 3

9 Increased demand for services 9

10 Failure to safeguard children and vulnerable adults 3

11 Disruption and lack of fuel preventing collection of domestic waste 2

12 Lack of implementation of financial controls 6

13 Significant malfunction of core services/security risk at Council’s temporary accommodation premises 4

14 Cost of defending appeals for large scale residential developments and potential award of costs 2

15 Inadequate Capital Resources 12

16 Risk and Return from Asset Investment Strategy 9

17 Failure to deliver the Transformation Strategy 12

18 Threat of Major Successful Cyber-Attack 12

19 Unforeseen incident of happening at Public Events 8

MAPPING YOUR RISKS TO THE STRATEGIC PLAN

Ref Risks from your CRR 2021/22 2022/23 2023/24

CRR_FCS05 Revaluation of major business rate payer

- Corporate Governance

- Risk Management

CRR_FCS03 Failure to prevent or detect fraud or corruption - Fraud Report - Fraud Report - Fraud Report

CRR_FCS20 Failure to properly manage and deliver significant projects

- Hybrid Mail Project Review

- Meritec Project Review

- Project Management

CRR_FCS28 Failure to comply with General Data Protection Regulation

- GDPR

CRR_NS10 Failure of business continuity - Business Continuity & Disaster Recovery

CRR_FCS01 Failure to properly deal with community governance review legislation, Community Right to Challenge, and nominations for assets of community value

- Assets of Community Value

CRR_FCS23 ICT supplier goes out of business - Contract Management and Procurement

CRR_NS08 Failure of internal health and safety compliance or enforcement of health and safety

- Environment - Health and Safety

CRR-FCS11 Increased demand for services - Channel Shift

- Car Parking - Car Parking

CRR_CO03 Failure to safeguard children and vulnerable adults - Safeguarding (Children and Vulnerable Adults)

OR_NS02 Disruption and lack of fuel preventing collection of domestic waste

- Waste and Recycling

- Fleet Management and Air pollution

- Waste and Recycling

OR_FCS07 Lack of implementation of financial controls

- Housing Benefits

- Main Financial Systems inc. Payroll, Council Tax/NNDR/Treasury Management

- Country Parks Income Review inc. Lark in the Park

- Main Financial Systems

- Markets

- Main Financial Systems inc. Payroll, Council Tax/NNDR/Treasury Management

OR_NS20 Significant malfunction of core services/security risk at Council’s temporary accommodation premises

- Homelessness and Temporary Accommodation

OR_CO04 Cost of defending appeals for large scale residential developments and potential award of costs

- Planning and s106

CRR_FCS08 Inadequate Capital Resources

CRR_FCS12 Risk and Return from Asset Investment Strategy - Governance of Partnership Arrangements

CRR_FCS13 Failure to Deliver the Transformation Strategy - Budgetary Control

CRR_FCS27 Threat of Major Successful Cyber-Attack - Cyber Security

CRR_NS09 Unforeseen incident of happening at Public Events - Events Management

INTERNAL AUDIT OPERATIONAL PLAN 2021-22

1. Efficient Services

Contract Management and Procurement

Days: 15

Timing: Q1

Description of the Review:

Contract:

• Review will look directly at the contract management processes in place for two of the largest contracts the Council has, Streetwise Environmental Ltd, whom they paid c£425k in Q2 of 2019/20; and, Lex/Parkwood Leisure Ltd who they paid c£16.5k in Q2 of 2019/20. For these two contracts we will review the procurement process and how this followed through into the contract management

• Review contract management meetings and interview key stakeholders

• Review contracts in place and whether they are approved and complied with

• Observe contract management meetings and assess if these are effective

Procurement:

• Review procurement exercises vs. protocols for compliance

• Review the Strategy vs. progress and reporting

• Review counter fraud controls in process for adequacy

• Review communication channels with the external procurement advisers, Welland Procurement

Reason for Inclusion:

• Based on discussion with the Council this audit is considered high priority due to the upcoming re-procurement of the Streetwise Contract. It is therefore a key area for audit to ensure procurement processes are adequate prior to the procurement taking place.

Corporate Governance

Days: 15

Timing: Q2

Description of the Review:

• Review the Governance structure and ensure that this is operating reasonably against CIPFA Good Governance Code

• Assess the SIP Plans in place and if these are developed and managed effectively

• Review the process to identify performance measures and test the data which feeds into them

• Observe the meetings where performance is discussed and assess if this is effective

• Interview key personnel involved in the process

• Assess whether reporting is frequent, comprehensive and effective to identify performance issues and focus actions to mitigate risks.

Reason for Inclusion:

• Major risk to all authorities given the importance of good governance and greater challenges and scrutiny placed on governance decisions within the Council and by the public nationally

• The above risk will increase as Councils become, as you are, more commercial and face greater financial challenges

Fraud Report

Days: 10

Timing: Q1

Description of the Review:

• Review of the Strategy in place and challenging how this was formed

• Comparison to our understanding of the Council’s activities and emerging risks we see across the public sector

• Interview key personnel lead specialists to understand how they identify and mitigate fraud risks

Reason for Inclusion:

• Risk to all Councils and identified as a corporate risk

• This includes corporate fraud and benefits fraud

• Council take part in NFI

• CIFAS reporting in 2019 the rise of local authority fraud and lack of identification across the sector

Business Continuity and Disaster Recovery

Days: 13

Timing: Q3

Description of the Review:

• Review Council arrangements for the overall Business Continuity and Disaster Recovery Plan.

• This includes how this Plan interacts with local service plans and whether there is adequate oversight that these all remain up-to-date, regularly assessed and/or tested via desktop scenarios or live testing.

• A critical focus will be on where arrangements link to supplier system/arrangements and the strength of these.

Reason for Inclusion:

• Departmental arrangements updated in 2020

• Identified as key corporate risk across 4 different areas which spans Council arrangements and those with partners such as local resilience forum

GDPR

Days: 15

Timing: Q4

Description of the Review:

• We will assess whether your GDPR readiness arrangements are sound vs. the ICO requirements. There will then be a significant focus on how the Council ensure they are compliant which will include sample testing data from different parts of the Council to ensure it is now compliant.

• We will also assess the arrangements in place to ensure there is sufficient staff capacity to meet requirements, how reporting is effective and how lessons learned are shared to ensure good/poor practice is promoted/stamped out.

Reason for Inclusion:

• National risk to all Councils

• Timely review to assess the embeddedness of GDPR post previous Internal Audit reports

Hybrid Mail Project Review

Days: 12

Timing: Q1

Description of the Review:

• We will interview key personnel charged with the responsibility of managing the project

• Review minutes and reports issued to senior management about project progress

• Assess the KPIs related to the project and whether these are being appropriately monitored

Reason for Inclusion:

• This is a large project and consequently is a higher financial and reputational risk to the Council

• Receipt of mail is key to support effective services

Main Financial Systems inc. Payroll, Council Tax/NNDR and Treasury Management

Days: 20

Timing: Q2

Description of the Review:

To include payroll:

• Assess the adequacy of payroll policies and procedure guides in place – particularly around new starters and leavers

• Sample test employees to review whether they have been paid correctly based on the input information

• Review management reporting of payroll information

To include Council Tax/NNDR:

• Council tax and NNDR policies i.e. council tax reduction scheme in terms of its review and approval

• VOA returns back to what is recorded on systems

• The process to issue demands and whether discounts or values have been applied correctly

• How amendments to demands are actioned and critically how they are followed up

• Assess KPI reporting on this area and how action is implemented

To include Treasury Management:

• Treasury arrangements reviewed from Strategy to Member training or controls around how deals are reviewed/approved

Reason for Inclusion:

• Main financial system areas are a critical risk

• The payroll function is outsourced to Gedling Borough Council so there is a reliance on accurate and timely information

• Incorrect payments to staff could result in significant reputation damage

• This is a staple review that is incorporated in all local authority audit plans across the country. This is because it is a recognised risk area as it contains critical controls which underpin the integrity of a Council

• National trends inform us that there is a variety of practices with how funds are recovered particularly in council tax

TOTAL 100

2. Quality of Life

Homelessness and Temporary Accommodation

Days: 12

Timing: Q4

Description of the Review:

• Review of Homelessness Strategy 2015-2020 in terms of monitoring, reporting and escalation

• Select samples of homelessness cases and ensure they are processed in-line with protocols

• Review the additional Officer time needed to comply with new procedures i.e. Actions on preventions and relief and if capacity/training is robust

• Review additional DCLG reporting and data validity

Reason for Inclusion:

• Joint Homelessness Strategy across South Nottinghamshire

• Rise in cases especially single women

• Homelessness Reduction Bill places new responsibilities on Councils to support individuals

• National figures for temporary accommodation rising and in Q1 in 2019-20 the figure was 84,740 which is the highest figure for over a decade

Housing Benefits

Days: 12

Timing: Q3

Description of the Review:

• Assessment of benefit cases against evidence retained on systems

• Work closely with external audit and understanding any risks/concerns they may have raised in their review of your benefit claim

• Review your processes around staff capacity and capability and structure to reduce processing times

• Assess reporting information in this area and how local operational and senior strategic teams assess performance and whether information reporting is robust and effective to make improvements

Reason for Inclusion:

• Universal credit has been deferred by Government however still uncertainty over the programme and what this means

TOTAL 24

3. Sustainable Growth

Planning and s106

Days: 10

Timing: Q3

Description of the Review:

• Select a sample of planning applications across minor, major and others to assess whether legislative and system protocols are adhered to

• Review the data behind reported information for accuracy and completeness and assess the effectiveness of the oversight/scrutiny of data

• Review steps taken to engage with Members and stakeholders in the process

Reason for Inclusion:

• National risk for all local authorities given the importance of housing and commercial development

• Large reputational impact where Councils do not have sound arrangements to meet Planning Inspectorate and internal procedure and Member/public expectations

• Often a tension area between management and Members in authorities which can have a wider impact on relationships

TOTAL 10

TOTAL 134

Area Days Description

Reporting and Follow up

Management Time 10 Development of Annual Plan, attendance at Governance Scrutiny Group and QA of audits.

Follow Up 6 Follow-up and report all Medium and High recommendations quarterly including those of the predecessor.

TOTAL 16

GRAND TOTAL 150

INTERNAL AUDIT STRATEGIC PLAN 2020 - 23

Area 2021 - 22 2022 - 23 2023 - 24 Description of the Review

Risk Management

12

• Use our Risk Maturity Toolkit to advise where the Council sit in terms of risk management on a five-point scale from Naive to Enabled

• Assess how the Council system is used and if risks are engaged with well and updated effectively to manage and mitigate risks

• Interview key personnel involved in the process

Corporate Governance

15

• Review the Governance structure and ensure that this is operating reasonably against CIPFA Good Governance Code

• Assess the SIP Plans in place and if these are developed and managed effectively

• Review the process to identify performance measures and test the data which feeds into them

• Observe the meetings where performance is discussed and assess if this is effective

• Interview key personnel involved in the process

• Assess whether reporting is frequent, comprehensive and effective to identify performance issues and focus actions to mitigate risks.

Fraud Report 10 10 10

• Review of the Strategy in place and challenging how this was formed

• Comparison to our understanding of the Council’s activities and emerging risks we see across the public sector

• Interview key personnel lead specialists to understand how they identify and mitigate fraud risks

Project Management

12

• Review Project Management Framework and assess whether this is widely circulated to project managers

• Review the Bingham Leisure Centre and Crematorium projects specifically

• Review minutes of oversight groups and reporting mechanisms

Business Continuity and Disaster Recovery

13

• Review Council arrangements for the overall Business Continuity and Disaster Recovery Plan.

• This includes how this Plan interacts with local service plans and whether there is adequate oversight that these all remain up-to-date, regularly assessed and/or tested via desktop scenarios or live testing.

• A critical focus will be on where arrangements link to supplier system/arrangements and the strength of these.

GDPR 15

• We will assess whether your GDPR readiness arrangements are sound vs. the ICO requirements. There will then be a significant focus on how the Council ensure they are compliant which will include sample testing data from different parts of the Council to ensure it is now compliant.

• We will also assess the arrangements in place to ensure there is sufficient staff capacity to meet requirements, how reporting is effective and how lessons learned are shared to ensure good/poor practice is promoted/stamped out.

Contract Management and Procurement

15

• Contract:

• Review will look directly at the contract management processes in place for two of the largest contracts the Council has, Streetwise Environmental Ltd, whom they paid c£425k in Q2 of 2019/20; and, Lex/Parkwood Leisure Ltd who they paid c£16.5k in Q2 of 2019/20. For these two contracts we will review the procurement process and how this followed through into the contract management

• Review contract management meetings and interview key stakeholders

• Review contracts in place and whether they are approved and complied with

• Observe contract management meetings and assess if these are effective

• Procurement:

• Review procurement exercises vs. protocols for compliance

• Review the Strategy vs. progress and reporting

• Review counter fraud controls in process for adequacy

• Review communication channels with the external procurement advisers, Welland Procurement

Environment 12

• Review of all Council policies and overall strategies to set, approve and achieve environmental aims

• This will include interviewing key stakeholders and Members who may champion this area

• Compare your arrangements to other local authorities

• This will be an assessment of certain areas in a deeper dive way i.e. how you think about staff and supplier impacts on the environment and improve your arrangements to achieve a more environmentally friendly outcome in your area

• Assess your corporate reporting in this area and how this is owned, monitored and actioned

• Assess the preparation for the Environment Bill and the strategy in place to ensure compliance with it

Health and Safety

12

• Review Health and Safety Policies – how these were produced, what do they cover, were they approved and do staff understand them

• Assess training in this area and whether arrangements are effective

• Review how incidents are reported and then managed/escalated

• Assess how sites are maintained to ensure they are safe. This includes Council offices and Council housing properties

• Assess performance indicator information and reporting to management groups who assess this. We will review minutes and interview key stakeholders

• Understand and assess how the Council assess contractor risks in this area

Channel Shift 12

• This will be a review of documentation related to the channel shift agenda, including strategies, performance frameworks, activity and financial data, reports to Councillors and funding bids for channel shift projects. We will also review the Digital Strategy in terms of Channel Shift and whether progress against projects is captured, monitored and reported correctly. This will encompass the effectiveness of communication between the Customer Services and the IT teams.

• A critical challenge with channel shift is assessing effectiveness as identifying savings can be difficult so the review will focus on the source data which feeds into reports and its accuracy and completeness.

Safeguarding (Children and Vulnerable Adults)

12

• Review to identify how the Council identifies all roles and activities which may have impact on safeguarding concerns. From here to assess the controls around training and re-training and different levels of training depending on the type needed.

• Assess governance arrangements, who attends and how decisions and actions are taken to ensure safeguarding is appropriate.

• Review relationship with section 11 forms and reporting to Adult and Children Safeguarding Boards i.e. representatives.

• We will also review the impact covid has had on safeguarding and whether there have been controls adopted to identify these such as poverty, support networks in place, unsuitable accommodation and Domestic abuse.

Waste and Recycling

12

• Review reporting and governance around bin collection as a whole

• This includes assessing the validity of data collected and reported through to the Finance and Performance Committee

• Assess how bin rounds, staffing and weather challenges are managed and escalated as necessary

• Review customer satisfaction arrangements

• Understand and assess arrangements to pick up complaints and action these and also Member concerns picked up from residents/Surgeries they hold.

• Review income collection and reconciliation procedures for green waste collection

Housing Benefits 12

• Assessment of benefit cases against evidence retained on systems

• Work closely with external audit and understanding any risks/concerns they may have raised in their review of your benefit claim

• Review your processes around staff capacity and capability and structure to reduce processing times

• Assess reporting information in this area and how local operational and senior strategic teams assess performance and whether information reporting is robust and effective to make improvements

Homelessness and Temporary Accommodation

12

• Review of Homelessness Strategy 2015-2020 in terms of monitoring, reporting and escalation

• Select samples of homelessness cases and ensure they are processed in-line with protocols

• Review the additional Officer time needed to comply with new procedures i.e. Actions on preventions and relief and if capacity/training is robust

• Review additional DCLG reporting and data validity

Planning and s106

10

• Select a sample of planning applications across minor, major and others to assess whether legislative and system protocols are adhered to

• Review the data behind reported information for accuracy and completeness and assess the effectiveness of the oversight/scrutiny of data

• Review steps taken to engage with Members and stakeholders in the process

Assets of Community Value

10

• We will assess whether if an asset is listed and then comes up for sale, the new right will give communities that want it a total of 6 months to put together a bid to buy it (including a 6-week cut-off for an initial proposal to be put forward)

• Whether those who can legally have a right to challenge are engaged with i.e. parish councils, neighbourhood forums and community interest groups

• Assess whether challenges are received, processed, reviewed and approved appropriately

Markets 12

• Assess the formal cash collection process in place at the market

• Liaise and visit the external suppliers to understand their arrangements once the cash is collected, including security of the cash

• Sample test 15 market cash collection cases

Country Parks Income Review inc. Lark in the Park

10

• Assess the formal cash collection process in place at the Rushcliffe Country Park

• Liaise and visit the external suppliers to understand their arrangements once the cash is collected, including security of the cash

• Sample test 15 Rushcliffe Country Park cash collection cases

Hybrid Mail Project Review

12

• We will interview key personnel charged with the responsibility of managing the project

• Review minutes and reports issued to senior management about project progress

• Assess the KPIs related to the project and whether these are being appropriately monitored

Car Parking 12

• Review processes to approve and then communicate parking charges

• Assess how parking is charged and then the collection of this to ensure it is accurate and complete

• Review parking data to ensure it is valid and correct to inform decision making

Main Financial Systems inc. Payroll, Council Tax/NNDR and Treasury Management

20 20 18

To include payroll:

• Assess the adequacy of payroll policies and procedure guides in place – particularly around new starters and leavers

• Sample test employees to review whether they have been paid correctly based on the input information

• Review management reporting of payroll information

To include Council Tax/NNDR:

• Council tax and NNDR policies i.e. council tax reduction scheme in terms of its review and approval

• VOA returns back to what is recorded on systems

• The process to issue demands and whether discounts or values have been applied correctly

• How amendments to demands are actioned and critically how they are followed up

• Assess KPI reporting on this area and how action is implemented

To include Treasury Management:

• Treasury arrangements reviewed from Strategy to Member training or controls around how deals are reviewed/approved

Fleet Management & Air Pollution

13

• Rushcliffe has 23 frontline refuse collection vehicles ranging from 15 to 32 Gross Vehicle Weight vehicles.

• This review will assess the Council’s Fleet Management processes in place and ensure there is an adequate fleet management strategy in place to manage fleet adequately. We will review the processes the Council has used to become carbon neutral and support its green infrastructure.

Budgetary Control

13

• Review the Council's budget monitoring and setting process. This review would also focus on arrangements to achieve efficiencies in budgets and whether all opportunities are identified and that assumptions are based on reasonable and reliable data

Events Management

12

• Assess the systems, procedures and resilience of the events management staff/software to achieve the objectives set out; this includes the governance, strategies and operational controls for events management

Governance of Partnership Arrangements

15

• There has been a growth of place-based and themed partnership arrangements. These have largely been designed to implement and administer arrangements within defined areas focussed upon common objectives including: The Joint Planning and Advisory Board (Nottingham City, Nottinghamshire County Council, Broxtowe BC, Gedling BC, Erewash DC and Rushcliffe BC). We will review the key aspects of the partnerships governance arrangements and monitoring/management in place.

Cyber Security 20

• This review will verify whether adequate procedures are in place to classify/secure the Council’s data security assets. It will also review whether threats to the Council are adequately identified and procedures are in place to prevent vulnerabilities being exploited.

Meritec Project Review

12

• We will interview key personnel charged with the responsibility of managing the project

• Review minutes and reports issued to senior management about project progress

• Assess the KPIs related to the project and whether these are being appropriately monitored

Total 134 134 137

Planning, Reporting and Follow up

Planning/ liaison/ management

10 10 10 Development of Annual Plan, attendance at Governance Scrutiny Group and QA of audits.

Recommendation follow up

6 6 6 Follow-up and report all Medium and High recommendations quarterly including those of the predecessor.

Total 16 16 16

Grand Total 150 150 153

APPENDIX I Internal Audit Charter - Role and Scope of Internal Audit

Purpose of this charter

This charter is a requirement of Public Sector Internal Audit Standards (PSIAS).

The charter formally defines internal audit’s mission, purpose, authority and responsibility. It establishes internal audit’s position within Rushcliffe Borough Council and defines the scope of internal audit activities.

Final approval resides with the Board, in practice the charter shall be reviewed and approved annually by management and by the Governance Scrutiny Group on behalf of Rushcliffe Borough Council [the Council]

Internal audit’s mission

Internal audit’s mission is to enhance and protect organisational value by providing risk-based and objective assurance, advice and insight.

Standards of internal audit practice

To fulfil its mission, internal audit will perform its work in accordance with PSIAS, which encompass the mandatory elements of the Institute of Internal Auditors (IIA) International Professional Practices Framework (IPPF): Definition of Internal Auditing, Code of Ethics, and International Standards for the Professional Practice of Internal Auditing.

Internal audit definition and role

Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes.

Internal audit acts primarily to provide the Governance Scrutiny Group with information necessary for it to fulfil its own responsibilities and duties. Implicit in internal audit’s role is that it supports management to fulfil its own risk, control and compliance responsibilities. The range of work performed by internal audit is set out in PSIAS and not repeated here.

Internal audit’s scope

The scope of internal audit activities includes all activities conducted by the Council. The Internal Audit Plan sets out those activities that have been identified as the subject of specific internal audit engagements.

The provision of assurance services is the primary role for internal audit in the UK public sector. This role requires the chief audit executive to provide an annual internal audit opinion based on an objective assessment of the framework of governance, risk management and control.


Assurance engagements involve the objective assessment of evidence to provide an independent opinion or conclusions regarding an entity, operation, function, process, system or other subject matter. The nature and scope of the assurance engagement are determined by internal audit.

Consulting engagements are advisory in nature and are generally performed at the specific request of management, with the aim of improving governance, risk management and control and contributing to the overall opinion. The nature and scope of consulting engagements are subject to agreement with management. When performing consulting services, internal audit should maintain objectivity and not assume management responsibility.

Effective internal audit

Our internal audit function is effective when:

• It achieves the purpose and responsibility included in the internal audit charter

• It conforms with the Standards

• Its individual members conform with the Code of Ethics and the Standards

• It considers trends and emerging issues that could impact the organisation.

The internal audit activity adds value to the Council (and its stakeholders) when it considers strategies, objectives and risks, strives to offer ways to enhance governance, risk management and control processes and objectively provides relevant assurance.

We will agree with you an audit plan for a total number of days activity. Once agreed, we will turn this into a cash budget which we will work to, in order to ensure that you have certainty around the fees you will pay us.

Independence and internal audit’s position within Rushcliffe Borough Council

The Internal Audit function within Rushcliffe Borough Council is currently provided by BDO LLP, a limited liability partnership providing accounting, audit and assurance, tax and financial advisory services. The Head of Internal Audit function is provided by Greg Rubins, a partner in BDO.

To provide for internal audit’s independence, its personnel and external partners report to the Head of Financial Services, who reports functionally to the Governance Scrutiny Group and provides day to day oversight of the contract with BDO. The Head of Internal Audit has free and full access to the Chair of the Governance Scrutiny Group.

The appointment or removal of the Head of Internal Audit will be performed in accordance with established procedures and in consultation with the Chair of the Governance Scrutiny Group.

The internal audit service will have an impartial, unbiased attitude and will avoid conflicts of interest. The internal audit service is not ordinarily authorised to perform any operational duties for the Council.

In the event that internal audit undertakes non-audit activities, safeguards will be agreed to ensure that the independence or objectivity of the internal audit activity is not impaired. This might include a separate partner review of the work or a different team undertaking the work. Such arrangements will be in consultation with the Governance Scrutiny Group prior to commencement.

In the event that internal audit provides assurance services where it had previously performed consulting services, an assessment will be undertaken to confirm that the nature of the consulting activity did not impair objectivity and safeguards will be put in place to manage individual objectivity when assigning resources to the engagement. Such safeguards will be communicated to the Governance Scrutiny Group.

Internal audit must be free from interference in determining the scope of internal auditing, performing work and communicating results. Should any interference take place, internal audit will disclose this to the Governance Scrutiny Group to discuss the implications.

Internal audit’s role in fraud, bribery and corruption

Management, not internal auditors, is responsible for the prevention and detection of fraud, bribery and corruption. Auditors will, however, be alert in all their work to risks and exposures that could allow fraud or corruption, as well as seeking to identify indications that fraud and corruption may have been occurring. Audit procedures alone, even when performed with due professional care, cannot guarantee that fraud and corruption will be detected. In the event that internal audit suspects a fraud, this will be referred to appropriate management in the first instance and then the audit committee.

Access to records and confidentiality

There are no limitations to internal audit’s right of access to the Council’s officers, records, information, premises, or meetings which it considers necessary to fulfil its responsibilities.

When the auditors receive confidential information about your affairs it shall at all times be kept confidential, except as required by law or as provided for in regulatory, ethical or other professional pronouncements applicable. All information will be maintained in line with appropriate regulations, for example the Data Protection Act 1998.

Coordination and reliance with other assurance providers

In co-ordinating activities internal audit may rely on the work of other assurance and consulting service providers.

A consistent approach is adopted for the basis of reliance and internal audit will consider the competency, objectivity, and due professional care of the assurance and consulting service providers. Due regard will be given to understanding the scope, objectives and results of the work performed by other providers of assurance and consulting services.

Where reliance is placed upon the work of others, internal audit is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.

Internal audit’s commitments to Rushcliffe Borough Council

Internal audit commits to the following:

• working with management to improve risk management, controls and governance within the organisation

• performing work in accordance with PSIAS

• complying with the ethical requirements of PSIAS

• dealing in a professional manner with the Council staff, recognising their other commitments and pressures

• raising issues as they are identified, so there are no surprises and providing practical recommendations

• liaising with external audit and other regulators to maximise the assurance provided to Rushcliffe Borough Council

• reporting honestly on performance against targets to the Governance Scrutiny Group.

Internal audit performance measures and indicators

The tables on the right contain some of the performance measures and indicators that are considered to have the most value in assessing the efficiency and effectiveness of internal audit. The Governance Scrutiny Group should approve the measures which will be reported to each meeting and / or annually as appropriate. In addition to those listed here we also report on additional measures as agreed with management and included in our Progress Report.

Quality assurance and improvement programme

As required by PSIAS, an external assessment of the service will be performed at least every five years. BDO also has an internal quality assurance review process in place, which takes place annually. This is performed by a separate team independent of the internal audit team.

The results of internal and external assessments will be communicated to the Governance Scrutiny Group as part of the internal audit annual report, along with corrective action plans.

Measure / Indicator

Audit Coverage

• Annual Audit Plan delivered in line with timetable

• Actual days are in accordance with Annual Audit Plan

Relationships and customer satisfaction

• Customer satisfaction reports – overall average score at least 3.5 / 5 for surveys issued at the end of each audit.

• Annual survey to Governance Scrutiny Group to achieve score of at least 70%

• External audit can rely on the work undertaken by internal audit (where planned)

Staffing and Training

• At least 60% input from qualified staff

Audit Reporting

• Issuance of draft report within 3 weeks of fieldwork ‘closing’ meeting

• Finalise internal audit report 1 week after management responses to report are received.

Table One: Performance measures for internal audit


Audit Quality

• High quality documents produced by the auditor that are clear and concise and contain all the information requested.

• Positive result from any external review

Management and staff commitments to Internal Audit

The management and staff of Rushcliffe Borough Council commit to the following:

• providing unrestricted access to all of Rushcliffe Borough Council’s records, property, and personnel relevant to the performance of engagements

• responding to internal audit requests and reports within the agreed timeframe and in a professional manner

• implementing agreed recommendations within the agreed timeframe

• being open to internal audit about risks and issues within the organisation

• not requesting any service from internal audit that would impair its independence or objectivity

• providing honest and constructive feedback on the performance of internal audit

Management and staff performance measures and indicators

The following three indicators are considered good practice performance measures, but we go beyond this and report on a suite of measures as included in each Governance Scrutiny Group progress report.

Measure / Indicator

Response to Reports

• Audit sponsor to respond to terms of reference within one week of receipt and to draft reports within two weeks of receipt

Implementation of recommendations

• Audit sponsor to implement all audit recommendations within the agreed timeframe

Co-operation with internal audit

• Internal audit to confirm to each meeting of the Governance Scrutiny Group whether appropriate co-operation has been provided by management and staff

Table Two: Performance measures for management and staff


Name | Grade | Telephone | Email

Greg Rubins | Partner | 07710703441 | [email protected]

Gurpreet Dulay | Internal Audit Senior Manager | 07870555214 | [email protected]

Yasmin Ahmed | Internal Audit Assistant Manager | 07970027030 | [email protected]

BDO contacts


FOR MORE INFORMATION:

GREG RUBINS [email protected]

This publication has been carefully prepared, but it has been written in general terms and should be seen as broad guidance only. The publication cannot be relied upon to cover specific situations and you should not act, or refrain from acting, upon the information contained therein without obtaining specific professional advice. Please contact BDO LLP to discuss these matters in the context of your particular circumstances. BDO LLP, its partners, employees and agents do not accept or assume any liability or duty of care for any loss arising from any action taken or not taken by anyone in reliance on the information in this publication or for any decision based on it.

BDO LLP, a UK limited liability partnership registered in England and Wales under number OC305127, is a member of BDO International Limited, a UK company limited by guarantee, and forms part of the international BDO network of independent member firms. A list of members' names is open to inspection at our registered office, 55 Baker Street, London W1U 7EU. BDO LLP is authorised and regulated by the Financial Conduct Authority to conduct investment business.

BDO is the brand name of the BDO network and for each of the BDO Member Firms.

BDO Northern Ireland, a partnership formed in and under the laws of Northern Ireland, is licensed to operate within the international BDO network of independent member firms.

© 2020 BDO LLP. All rights reserved.

www.bdo.co.uk